There’s great news for anyone affected by the CrypBoss, HydraCrypt, and UmbreCrypt ransomware. Fabian Wosar, a researcher at Emsisoft, has managed to reverse-engineer them, and in the process has released a program that is able to decrypt files that would otherwise be lost.

These three malware programs are very similar. Here’s what you need to know about them, and how you can get your files back.

There’s been a lot of research into the CrypBoss family by some of the biggest names in computer security research. The source code to CrypBoss was leaked last year on PasteBin, and was almost immediately devoured by the security community. Late last week, McAfee published one of the best analyses of HydraCrypt, which explained how it works at its lowest levels.

The Differences Between HydraCrypt and UmbreCrypt

In terms of their essential functionality, HydraCrypt and UmbreCrypt both do the same thing. When they first infect a system, they start encrypting files based upon their file extension, using a strong form of asymmetric encryption.

They also have other non-core behaviors that are pretty common within ransomware software.

For example, both allow the attacker to upload and execute additional software to the infected machine. Both delete the shadow copies of the encrypted files, making it impossible to restore them.

Perhaps the biggest difference between the two programs is the way in which they “ransom” the files back.

UmbreCrypt is very matter-of-fact. It tells the victims that they’ve been infected, and there’s no chance they’ll get their files back without co-operating. For the victim to start the decryption process, they need to send an email to one of two addresses. These are hosted on “engineer.com” and “consultant.com” respectively.

Shortly after, someone from UmbreCrypt will respond with payment information. The ransomware notice doesn’t tell the victim how much they’re going to pay, although it does tell the victim that the fee will be multiplied if they don’t pay within 72 hours.

Hilariously, the instructions provided by UmbreCrypt tell the victim not to email them with “threats and rudeness”. They even provide a sample email format for victims to use.

HydraCrypt differs slightly in the way that their ransom note is far more threatening.

They say that unless the victim doesn’t pay up in 72 hours, they’ll issue a sanction. This can be an increase in ransom, or the destruction of the private key, thereby making it impossible to decrypt the files.

How To Get Your Files Back

Like we mentioned earlier, Emisoft’s Fabian Wosar has been able to break the encryption used, and has released a tool to get your files back, called DecryptHydraCrypt.

For it to work, you need to have two files on hand. These should be any encrypted file, plus an unencrypted copy of that file. If you’ve got a document on your hard-drive that you backed up to Google Drive or your email account, use this.

Alternatively, if you don’t have this, just look for an encrypted PNG file, and use any other random PNG file that you either create yourself, or download from the Internet.

Then, drag and drop them into the decryption app. It’ll then kick into action, and start trying to determine the private key.

You should be warned that this won’t be instantaneous. The decryptor will be doing some pretty complicated math to work out your decryption key, and this process could potentially take several days, depending on your CPU.

Once it’s worked out the decryption key, it’ll open up a window and allow you to select the folders whose contents you want to decrypt. This works recursively, so if you’ve got a folder in a folder, you’ll only need to select the root folder.

It’s worth noting that HydraCrypt and UmbreCrypt have a flaw, wherein the final 15 bytes of each encrypted file are damaged irretrievably.

This shouldn’t trouble you too much, as these bytes are usually used for padding or non-essential metadata. Fluff, basically. But if you can’t open your decrypted files, try opening them with a file restore tool.

No Luck?

There’s a chance that this won’t work for you. That could be for an number of reasons. The most likely is that you’re trying to run it on a ransomware program that isn’t HydraCrypt, CrypBoss, or UmbraCrypt.

Another possibility is that the makers of the malware modified it to use a different encryption algorithm.

At this point, you’ve got a couple of options.

The quickest and most promising bet is to pay the ransom. This varies quite a bit, but generally hovers around the $300 mark, and will see your files restored in a few hours.

It should go without saying that you’re dealing with organized criminals, so there’s no guarantees they’ll actually decrypt the files, and if you’re not happy, you’ve got no chance of getting a refund.

You should also consider the the argument that paying these ransoms perpetuates the spread of ransomware, and continues to make it financially lucrative for the developers to write ransomware programs.

There’s no guarantee for this though. Quite often, there’s no technological solution to getting your files back without paying a ransom.

Prevention is Better Than A Cure

Of course, the most effective way of dealing with ransomware programs is to ensure you’re not infected in the first place. By taking some simple precautions, like running a fully updated antivirus, and not downloading files from suspect places, you can mitigate your chances of getting infected.

Were you affected by HydraCrypt or UmbreCrypt? Have you managed to get your files back? Let me know in the comments below.

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Anonymous

February 15, 2016 at 5:53 pm

Prevention? There really is no guarantee that a computer will never be infected. Yes, keeping OS and antivirus updated is important -- but another critical piece is to maintain backup files!

Buy an external drive or flash drive. Connect / plug in and make backup's of your data regularly -- then leave the drive disconnected / unplugged. Why? Because cryptowares will often encrypt user files on all drives that are connected / plugged in / networked - rendering both your working and backup files useless.

Matthew Hughes is a software developer and writer from Liverpool, England. He is seldom found without a cup of strong black coffee in his hand and absolutely adores his Macbook Pro and his camera. You can read his blog at http://www.matthewhughes.co.uk and follow him on twitter at @matthewhughes.